
Applies to: SharePoint Server 2013

Topic Last Modified: 2016-12-16

Summary: Learn how to grant the appropriate permissions in Active Directory Domain Services that are used for profile synchronization by the User Profile service in SharePoint Server 2013.

This article contains procedures that an Active Directory Domain Services (AD DS) administrator can use to configure the permissions that are required to synchronize profile information with SharePoint Server 2013. The "Plan account permissions" section of Plan for profile synchronization describes the required permissions for various circumstances.

The procedures in this article use the phrase "synchronization account" for the account to which you grant permissions. The synchronization account is the account that SharePoint Server uses to connect to AD DS during profile synchronization.

Administrators typically use the SharePoint Central Administration website and the SharePoint Management Shell to manage deployments. For information about accessibility for administrators, see Accessibility for SharePoint 2013.
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Use this procedure to grant Replicate Directory Changes permission on a domain to an account.

The Replicate Directory Changes permission enables the synchronization account to read AD DS objects and to discover AD DS objects that have been changed in the domain. The Replicate Directory Changes permission does not enable an account to create, modify, or delete AD DS objects.

If the Default naming context node is not already present, do the following:

In the navigation pane, click ADSI Edit.

On the Action menu, click Connect to.

In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Default naming context from the drop-down list, and then click OK.

In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=... node, right-click the OU to which you want to grant permission, and then click Properties.

On the Security tab of the Properties dialog box, click Advanced.

In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.

Note:

Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.

In the Permission Entry dialog box, select This object and all descendant objects from the Apply to box (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects permissions, and then click OK.
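The two grants described above (Replicate Directory Changes on the domain, and Write all properties plus Create all child objects on an OU, applied to the OU and all descendant objects) can also be made from the SharePoint Management Shell or any PowerShell session with the ActiveDirectory module. The script below is an added example, not part of this article; it assumes the RSAT ActiveDirectory module and the AD: drive are available (Windows Server 2008 R2 or later, not Windows Server 2003), and the account name and OU distinguished name are placeholders you must replace. The verification function at the end lists only explicit, non-inherited entries for the account, which is the same row the procedure tells you to select in the Advanced Security Settings dialog box.

```powershell
# Added example (not from the original article): grant the synchronization
# account the permissions described above with PowerShell instead of ADSI Edit.
# Placeholders to replace for your environment:
#   $SyncAccount - the synchronization account (DOMAIN\user)
#   $TargetOU    - distinguished name of the OU whose contents the account may create/write
# Requires the RSAT ActiveDirectory module and an account allowed to modify these ACLs.
Import-Module ActiveDirectory

$SyncAccount = "CONTOSO\spsync"              # placeholder
$TargetOU    = "OU=Users,DC=contoso,DC=com"  # placeholder

$domainDN = (Get-ADDomain).DistinguishedName
$sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# rightsGuid of the "Replicating Directory Changes" extended right
# (DS-Replication-Get-Changes in the Extended-Rights container of the configuration partition).
$replicateChangesGuid = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

# --- 1. Replicate Directory Changes on the domain (Default naming context) ---
# Extended right only: this does not allow creating, modifying, or deleting objects.
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$replicateAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $replicateChangesGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$domainAcl.AddAccessRule($replicateAce)
Set-Acl -Path "AD:\$domainDN" -AclObject $domainAcl

# --- 2. Write all properties + Create all child objects on the OU ---
# InheritanceType All = "This object and all descendant objects" in the dialog box;
# this is why the procedure says not to pick the row inherited from elsewhere.
$ouAcl = Get-Acl -Path "AD:\$TargetOU"
$ouRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$ouAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $ouRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ouAcl.AddAccessRule($ouAce)
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# --- 3. Verify: show only explicit (not inherited) entries for the account ---
function Get-SyncAccountAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    (Get-Acl -Path $Path).Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, AccessControlType
}

Get-SyncAccountAces -Path "AD:\$domainDN" -Sid $sid
Get-SyncAccountAces -Path "AD:\$TargetOU" -Sid $sid

# Because Replicate Directory Changes lets a principal read every change in the
# domain, it is worth periodically listing everyone who holds it, not only the
# synchronization account, and confirming each entry is expected.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ObjectType -eq $replicateChangesGuid -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, IsInherited
```

Run the script once as a domain administrator; `Set-Acl` on the AD: drive rewrites the whole security descriptor, so keep the `Get-Acl` and `Set-Acl` calls on the same object together as shown rather than building the ACL from scratch.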